Bugzilla – Attachment 1999 Details for
Bug 983
Required authentication
[patch]
Updated to -current
required_methods.patch (text/plain), 24.70 KB, created by
Paul Sery
on 2011-02-23 09:09:07 AEDT
Description:
Updated to -current
Filename:
MIME Type:
Creator:
Paul Sery
Created:
2011-02-23 09:09:07 AEDT
Size:
24.70 KB
patch
obsolete
>Index: auth.c
>===================================================================
>RCS file: /cvs/openssh/auth.c,v
>retrieving revision 1.146
>diff -u -p -r1.146 auth.c
>--- auth.c 1 Dec 2010 01:21:51 -0000 1.146
>+++ auth.c 22 Feb 2011 21:32:10 -0000
>@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
> }
> 
> void
>-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
>+auth_log(Authctxt *authctxt, int authenticated, const char *method,
>+ const char *submethod, const char *info)
> {
> void (*authlog) (const char *fmt,...) = verbose;
> char *authmsg;
>@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
> else
> authmsg = authenticated ? "Accepted" : "Failed";
> 
>- authlog("%s %s for %s%.100s from %.200s port %d%s",
>+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
> authmsg,
> method,
>+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
> authctxt->valid ? "" : "invalid user ",
> authctxt->user,
> get_remote_ipaddr(),
>@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
> * Check whether root logins are disallowed.
> */
> int
>-auth_root_allowed(char *method)
>+auth_root_allowed(const char *method)
> {
> switch (options.permit_root_login) {
> case PERMIT_YES:
>@@ -707,4 +709,58 @@ fakepw(void)
> fake.pw_shell = "/nonexist";
> 
> return (&fake);
>+}
>+
>+int
>+auth_method_in_list(const char *list, const char *method)
>+{
>+ char *cp;
>+
>+ cp = match_list(method, list, NULL);
>+ if (cp != NULL) {
>+ xfree(cp);
>+ return 1;
>+ }
>+
>+ return 0;
>+}
>+
>+#define DELIM ","
>+int
>+auth_remove_from_list(char **list, const char *method)
>+{
>+ char *oldlist, *cp, *newlist = NULL;
>+ u_int len = 0, ret = 0;
>+
>+ if (list == NULL || *list == NULL)
>+ return (0);
>+
>+ oldlist = *list;
>+ len = strlen(oldlist) + 1;
>+ newlist = xmalloc(len);
>+ memset(newlist, '\0', len);
>+
>+ /* Remove method from list, if present */
>+ for (;;) {
>+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
>+ break;
>+ if (*cp == '\0')
>+ continue;
>+ if (strcmp(cp, method) != 0) {
>+ if (*newlist != '\0')
>+ strlcat(newlist, DELIM, len);
>+ strlcat(newlist, cp, len);
>+ } else
>+ ret++;
>+ }
>+
>+ /* Return NULL instead of empty list */
>+ if (*newlist == '\0') {
>+ xfree(newlist);
>+ newlist = NULL;
>+ }
>+ xfree(*list);
>+ *list = newlist;
>+
>+ return (ret);
> }
>Index: auth.h
>===================================================================
>RCS file: /cvs/openssh/auth.h,v
>retrieving revision 1.84
>diff -u -p -r1.84 auth.h
>--- auth.h 10 May 2010 01:58:03 -0000 1.84
>+++ auth.h 22 Feb 2011 21:32:14 -0000
>@@ -141,10 +141,11 @@ void disable_forwarding(void);
> void do_authentication(Authctxt *);
> void do_authentication2(Authctxt *);
> 
>-void auth_log(Authctxt *, int, char *, char *);
>-void userauth_finish(Authctxt *, int, char *);
>+void auth_log(Authctxt *, int, const char *, const char *, const char *);
>+void userauth_finish(Authctxt *, int, const char *, const char *);
>+int auth_root_allowed(const char *);
>+
> void userauth_send_banner(const char *);
>-int auth_root_allowed(char *);
> 
> char *auth2_read_banner(void);
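Review bot: auth_remove_from_list returns how many entries matched, and every caller this patch adds (do_authloop, userauth_finish, monitor_child_preauth) treats anything other than 1 as an INTERNAL ERROR fatal(); neither auth1_check_required nor auth2_check_required rejects a repeated name, so a list such as `password,password` parses cleanly and then terminates the session on the first successful step. Either reject duplicates in the two check functions at config time, or document here that callers must only compare against 1 when the list is known to be duplicate-free. A header comment on both functions would help too, e.g. `/* Return 1 if method is one of the comma-separated entries in list, 0 otherwise. */` and `/* Remove every entry equal to method from *list (freeing the old string, NULL when empty); return the number removed. */`.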
> 
>@@ -192,6 +193,11 @@ void auth_debug_send(void);
> void auth_debug_reset(void);
> 
> struct passwd *fakepw(void);
>+int auth_method_in_list(const char *, const char *);
>+int auth_remove_from_list(char **, const char *);
>+
>+int auth1_check_required(const char *);
>+int auth2_check_required(const char *);
> 
> int sys_auth_passwd(Authctxt *, const char *);
> 
>Index: auth1.c
>===================================================================
>RCS file: /cvs/openssh/auth1.c,v
>retrieving revision 1.127
>diff -u -p -r1.127 auth1.c
>--- auth1.c 31 Aug 2010 12:36:39 -0000 1.127
>+++ auth1.c 22 Feb 2011 21:32:18 -0000
>@@ -98,6 +98,54 @@ static const struct AuthMethod1
> return (NULL);
> }
> 
>+static const struct AuthMethod1 *
>+lookup_authmethod1_by_name(const char *name)
>+{
>+ int i;
>+
>+ for (i = 0; auth1_methods[i].name != NULL; i++)
>+ if (strcmp(auth1_methods[i].name, name) == 0)
>+ return (&(auth1_methods[i]));
>+
>+ return NULL;
>+}
>+
>+#define DELIM ","
>+int
>+auth1_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ static const struct AuthMethod1 *m;
>+ int ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth1_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth1_check_required: empty method");
>+ ret = -1;
>+ }
>+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
>+ debug("auth1_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ }
>+ if (*(m->enabled) == 0) {
>+ debug("auth1_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (*(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
>+}
>+
>+
> static char *
> get_authname(int type)
> {
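Review bot: In auth1_check_required an unknown method name (and an empty one, since the lookup of "" also returns NULL) sets `ret = -1` but execution continues into `if (*(m->enabled) == 0)` with `m == NULL`, so a typo in RequiredAuthentications1 crashes sshd while the config is parsed instead of reaching the intended fatal() in servconf.c. Add `continue;` after the `ret = -1;` in the unknown-method branch, as auth2_check_required does with its `break`. `m` has no reason to be `static`; it is reassigned on every iteration and the static storage only risks carrying a stale pointer between calls, so `const struct AuthMethod1 *m;` is enough.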
>@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
> {
> int authenticated = 0;
> char info[1024];
>+ const char *meth_name;
> int prev = 0, type = 0;
> const struct AuthMethod1 *meth;
> 
>@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
> authctxt->valid ? "" : "invalid user ", authctxt->user);
> 
> /* If the user has no password, accept authentication immediately. */
>- if (options.permit_empty_passwd && options.password_authentication &&
>+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
> #ifdef KRB5
> (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
> #endif
>@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
> if (options.use_pam && (PRIVSEP(do_pam_account())))
> #endif
> {
>- auth_log(authctxt, 1, "without authentication", NULL, "");
>+ auth_log(authctxt, 1, "without authentication", NULL, "");
> return;
> }
> }
>@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
> /* Get a packet from the client. */
> prev = type;
> type = packet_read();
>+ meth_name = get_authname(type);
> 
> /*
> * If we started challenge-response authentication but the
>@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
> if (authctxt->failures >= options.max_authtries)
> goto skip;
> if ((meth = lookup_authmethod1(type)) == NULL) {
>- logit("Unknown message during authentication: "
>- "type %d", type);
>+ logit("Unknown message during authentication: type %d",
>+ type);
> goto skip;
> }
> 
>@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
> goto skip;
> }
> 
>+ /*
>+ * Skip methods not in required list, until all the required
>+ * ones are done
>+ */
>+ if (options.required_auth1 != NULL &&
>+ !auth_method_in_list(options.required_auth1, meth_name)) {
>+ debug("Skipping method \"%s\" until required "
>+ "authentication completed", meth_name);
>+ goto skip;
>+ }
>+
> authenticated = meth->method(authctxt, info, sizeof(info));
> if (authenticated == -1)
> continue; /* "postponed" */
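Review bot: The rewritten empty-password condition in the `@@ -244` hunk just repeats `options.password_authentication`, so it is equivalent to the line it replaces; the parallel change to userauth_none in auth2-none.c adds `options.required_auth2 == NULL`, so the third term here was presumably meant to be `options.required_auth1 == NULL`. Without it an account with an empty password is accepted outright even when RequiredAuthentications1 is configured. Suggested: `if (options.permit_empty_passwd && options.password_authentication && options.required_auth1 == NULL &&`.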
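Review bot: The new skip branch in the `@@ -297` hunk routes a method that is not in the required list to `skip:`, where auth_log records the attempt as Failed and, if the `++authctxt->failures` that follows `skip:` in the original do_authloop is unchanged (it is outside this hunk), the attempt is also charged against MaxAuthTries. A client that leads with a method outside RequiredAuthentications1 therefore spends attempts without being told which methods are wanted; consider not counting these, or at least say so in the debug message, e.g. `"Skipping method \"%s\" until required authentication completed (counted as a failure)"`. do_authloop starts and ends outside this hunk.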
>@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
> 
> skip:
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, get_authname(type), info);
>+ auth_log(authctxt, authenticated, meth_name, NULL, info);
>+
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && options.required_auth1 != NULL) {
>+ if (auth_remove_from_list(&options.required_auth1,
>+ meth_name) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ meth_name, options.required_auth1);
>+ debug2("do_authloop: required list now: %s",
>+ options.required_auth1 == NULL ?
>+ "DONE" : options.required_auth1);
>+ if (options.required_auth1 == NULL)
>+ return;
>+ authenticated = 0;
>+ /*
>+ * Disable method so client can't authenticate with it
>+ * after the required authentications are complete.
>+ */
>+ *(meth->enabled) = 0;
>+ packet_send_debug("Further authentication required");
>+ goto send_fail;
>+ }
> 
> if (client_user != NULL) {
> xfree(client_user);
>@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
> 
> packet_start(SSH_SMSG_FAILURE);
> packet_send();
>Index: auth2.c
>===================================================================
>RCS file: /cvs/openssh/auth2.c,v
>retrieving revision 1.152
>diff -u -p -r1.152 auth2.c
>--- auth2.c 31 Aug 2010 12:36:39 -0000 1.152
>+++ auth2.c 22 Feb 2011 21:32:22 -0000
>@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
> {
> Authctxt *authctxt = ctxt;
> Authmethod *m = NULL;
>- char *user, *service, *method, *style = NULL;
>+ char *user, *service, *method, *active_methods, *style = NULL;
> int authenticated = 0;
> 
> if (authctxt == NULL)
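Review bot: Both exits added to the required-list block, the `return` when the list is exhausted and the `goto send_fail` on a partial success, bypass the `if (client_user != NULL) { xfree(client_user); ...` cleanup that immediately follows in the context, whereas the original only returned after that block had run. If the method that just succeeded populated `client_user` (the rhosts-rsa path does, as far as I can tell from the original do_authloop), the string is leaked on the `return` and left stale for the next iteration on the partial path. Moving the `client_user` block ahead of the new `if (authenticated && options.required_auth1 != NULL)` keeps both exits clean. do_authloop starts and ends outside this hunk.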
>@@ -276,22 +276,31 @@ input_userauth_request(int type, u_int32
> authctxt->postponed = 0;
> 
> /* try to authenticate user */
>- m = authmethod_lookup(method);
>- if (m != NULL && authctxt->failures < options.max_authtries) {
>- debug2("input_userauth_request: try method %s", method);
>- authenticated = m->userauth(authctxt);
>- }
>- userauth_finish(authctxt, authenticated, method);
>+ active_methods = authmethods_get();
>+ if (strcmp(method, "none") == 0 ||
>+ auth_method_in_list(active_methods, method)) {
>+ m = authmethod_lookup(method);
>+ if (m != NULL) {
>+ debug2("input_userauth_request: try method %s", method);
>+ authenticated = m->userauth(authctxt);
>+ }
> 
>+ }
>+ xfree(active_methods);
>+ userauth_finish(authctxt, authenticated, method, NULL);
>+
> xfree(service);
> xfree(user);
> xfree(method);
> }
> 
> void
>-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
>+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
>+ const char *submethod)
> {
> char *methods;
>+ Authmethod *m = NULL;
>+ u_int partial = 0;
> 
> if (!authctxt->valid && authenticated)
> fatal("INTERNAL ERROR: authenticated invalid user %s",
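Review bot: The rewritten dispatch drops the `authctxt->failures < options.max_authtries` gate that the removed line carried, so a method's userauth callback now runs however many failures the connection has accumulated; the disconnect further down userauth_finish still fires once the count is reached, but the pre-check was what kept an over-limit request from being evaluated at all, and it is not related to the required-methods feature. Restore it in the inner test: `if (m != NULL && authctxt->failures < options.max_authtries) {`. The stray blank line inside the outer `if` block before the closing `>+ }` should go as well.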
>@@ -329,12 +338,42 @@ userauth_finish(Authctxt *authctxt, int
> #endif /* _UNICOS */
> 
> /* Log before sending the reply */
>- auth_log(authctxt, authenticated, method, " ssh2");
>+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
> 
> if (authctxt->postponed)
> return;
> 
>- /* XXX todo: check if multiple auth methods are needed */
>+ /* Handle RequiredAuthentications2: loop until required methods done */
>+ if (authenticated && options.required_auth2 != NULL) {
>+ if ((m = authmethod_lookup(method)) == NULL)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" unknown", method);
>+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ method, options.required_auth2);
>+ debug2("userauth_finish: required list now: %s",
>+ options.required_auth2 == NULL ?
>+ "DONE" : options.required_auth2);
>+ /*
>+ * if authenticated and no more required methods
>+ * then declare success
>+ */
>+ if ( authenticated && options.required_auth2 == NULL ) {
>+ debug2("userauth_finish: authenticated and no more required methods");
>+ } else {
>+ /*
>+ * Disable method so client can't authenticate with it after
>+ * the required authentications are complete.
>+ */
>+ if (m->enabled != NULL)
>+ *(m->enabled) = 0;
>+ authenticated = 0;
>+ partial = 1;
>+ goto send_fail;
>+ }
>+ }
>+
> if (authenticated == 1) {
> /* turn off userauth */
> dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
>@@ -344,7 +383,6 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>-
> /* Allow initial try of "none" auth without failure penalty */
> if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
> authctxt->failures++;
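Review bot: `if ( authenticated && options.required_auth2 == NULL )` re-tests `authenticated`, which the enclosing `if (authenticated && options.required_auth2 != NULL)` already established, and the spaces inside the parentheses plus the over-long `debug2` line depart from the KNF style of the surrounding code. `if (options.required_auth2 == NULL) {` says the same thing, and the debug2 string can be wrapped like the other calls in this hunk. The comment on the disable step could also state the actual rule, since the method is disabled immediately rather than "after" completion: `/* Disable the method now so it cannot be replayed once the remaining required methods are done. */`.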
>@@ -354,10 +392,11 @@ userauth_finish(Authctxt *authctxt, int
> #endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
> }
>+ send_fail:
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>- packet_put_char(0); /* XXX partial success, unused */
>+ packet_put_char(partial);
> packet_send();
> packet_write_wait();
> xfree(methods);
>@@ -371,6 +410,9 @@ authmethods_get(void)
> char *list;
> int i;
> 
>+ if (options.required_auth2 != NULL)
>+ return xstrdup(options.required_auth2);
>+
> buffer_init(&b);
> for (i = 0; authmethods[i] != NULL; i++) {
> if (strcmp(authmethods[i]->name, "none") == 0)
>@@ -403,5 +445,45 @@ authmethod_lookup(const char *name)
> debug2("Unrecognized authentication method name: %s",
> name ? name : "NULL");
> return NULL;
>+}
>+
>+#define DELIM ","
>+
>+int
>+auth2_check_required(const char *list)
>+{
>+ char *orig_methods, *methods, *cp;
>+ struct Authmethod *m;
>+ int i, ret = 0;
>+
>+ orig_methods = methods = xstrdup(list);
>+ for(;;) {
>+ if ((cp = strsep(&methods, DELIM)) == NULL)
>+ break;
>+ debug2("auth2_check_required: method \"%s\"", cp);
>+ if (*cp == '\0') {
>+ debug("auth2_check_required: empty method");
>+ ret = -1;
>+ }
>+ for (i = 0; authmethods[i] != NULL; i++)
>+ if (strcmp(cp, authmethods[i]->name) == 0)
>+ break;
>+ if ((m = authmethods[i]) == NULL) {
>+ debug("auth2_check_required: unknown method "
>+ "\"%s\"", cp);
>+ ret = -1;
>+ break;
>+ }
>+ if (m->enabled == NULL || *(m->enabled) == 0) {
>+ debug("auth2_check_required: method %s explicitly "
>+ "disabled", cp);
>+ ret = -1;
>+ }
>+ /* Activate method if it isn't already */
>+ if (*(m->enabled) == -1)
>+ *(m->enabled) = 1;
>+ }
>+ xfree(orig_methods);
>+ return (ret);
> }
> 
>Index: auth2-none.c
>===================================================================
>RCS file: /cvs/openssh/auth2-none.c,v
>retrieving revision 1.21
>diff -u -p -r1.21 auth2-none.c
>--- auth2-none.c 26 Jun 2010 00:01:33 -0000 1.21
>+++ auth2-none.c 22 Feb 2011 21:32:25 -0000
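Review bot: When `m->enabled == NULL` the disabled-method branch sets `ret = -1` but does not leave the iteration, so the very next test, `if (*(m->enabled) == -1)`, dereferences the NULL it just guarded against; add `continue;` after that `ret = -1;`. The check is also asymmetric with the explicit `debug` text: a method whose `enabled` pointer is NULL is reported as "explicitly disabled", which is not what the config said. Minor: `#define DELIM ","` is now defined separately in auth.c, auth1.c and auth2.c; a single definition in auth.h next to the new prototypes would keep the three list parsers in step.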
>@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
> {
> none_enabled = 0;
> packet_check_eom();
>- if (options.permit_empty_passwd && options.password_authentication)
>+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
> return (PRIVSEP(auth_password(authctxt, "")));
> return (0);
> }
>Index: auth2-chall.c
>===================================================================
>RCS file: /cvs/openssh/auth2-chall.c,v
>retrieving revision 1.38
>diff -u -p -r1.38 auth2-chall.c
>--- auth2-chall.c 28 Jan 2009 05:13:39 -0000 1.38
>+++ auth2-chall.c 22 Feb 2011 21:32:29 -0000
>@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
> auth2_challenge_start(authctxt);
> }
> }
>- userauth_finish(authctxt, authenticated, method);
>- xfree(method);
>+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
>+ kbdintctxt->device->name);
> }
> 
> void
>Index: auth2-gss.c
>===================================================================
>RCS file: /cvs/openssh/auth2-gss.c,v
>retrieving revision 1.19
>diff -u -p -r1.19 auth2-gss.c
>--- auth2-gss.c 2 Dec 2007 11:59:45 -0000 1.19
>+++ auth2-gss.c 22 Feb 2011 21:32:33 -0000
>@@ -161,7 +161,7 @@ input_gssapi_token(int type, u_int32_t p
> }
> authctxt->postponed = 0;
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
>- userauth_finish(authctxt, 0, "gssapi-with-mic");
>+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
> } else {
> if (send_tok.length != 0) {
> packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
>@@ -249,7 +249,7 @@ input_gssapi_exchange_complete(int type,
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
> 
> static void
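Review bot: In the auth2-chall.c hunk the new call reads `kbdintctxt->device->name` after the `auth2_challenge_start(authctxt)` shown in the context (and, presumably, the stop call on the success branch just above it) has already run; I cannot see those functions from here, but if either releases the kbdint context when the last device is exhausted this is a read of freed memory for the submethod argument. The removed `xfree(method)` also suggests `method` is still allocated earlier in the function, which now leaks. Capture the name first, e.g. `const char *devicename = kbdintctxt->device->name;` ahead of the postponed/stop/start block, pass `devicename` here, and drop the earlier `method` allocation with it. input_userauth_info_response begins outside the hunk.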
>@@ -289,7 +289,7 @@ input_gssapi_mic(int type, u_int32_t ple
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
>- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
>+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
> }
> 
> Authmethod method_gssapi = {
>Index: monitor.c
>===================================================================
>RCS file: /cvs/openssh/monitor.c,v
>retrieving revision 1.144
>diff -u -p -r1.144 monitor.c
>--- monitor.c 10 Sep 2010 01:23:34 -0000 1.144
>+++ monitor.c 22 Feb 2011 21:32:37 -0000
>@@ -342,7 +342,8 @@ void
> monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
> {
> struct mon_table *ent;
>- int authenticated = 0;
>+ int no_increment, authenticated = 0;
>+ char **req_auth;
> 
> debug3("preauth child monitor started");
> 
>@@ -353,12 +354,14 @@ monitor_child_preauth(Authctxt *_authctx
> 
> if (compat20) {
> mon_dispatch = mon_dispatch_proto20;
>+ req_auth = &options.required_auth2;
> 
> /* Permit requests for moduli and signatures */
> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
> monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
> } else {
> mon_dispatch = mon_dispatch_proto15;
>+ req_auth = &options.required_auth1;
> 
> monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
> }
>@@ -366,6 +369,7 @@ monitor_child_preauth(Authctxt *_authctx
> /* The first few requests do not require asynchronous access */
> while (!authenticated) {
> auth_method = "unknown";
>+ no_increment = 1;
> authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
> if (authenticated) {
> if (!(ent->flags & MON_AUTHDECIDE))
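Review bot: `no_increment = 1;` at the top of every loop iteration (the `@@ -366` hunk) means the `!no_increment` test added in the following `@@ -387` hunk is never true, so `authctxt->failures++` in the monitor is dead code and the privileged side's failure count stays at zero for the whole connection. The reset should be `no_increment = 0;`, leaving the required-list branch in the next hunk as the only place that sets it to 1. Naming it for what it records would avoid this kind of inversion, e.g. `int partial = 0;` set to 1 on a partial success and tested as `if (!authenticated && !partial)`.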
>@@ -387,11 +391,23 @@ monitor_child_preauth(Authctxt *_authctx
> }
> #endif
> }
>+ /* Loop until the required authmethods are done */
>+ if (authenticated && *req_auth != NULL) {
>+ if (auth_remove_from_list(req_auth, auth_method) != 1)
>+ fatal("INTERNAL ERROR: authenticated method "
>+ "\"%s\" not in required list \"%s\"",
>+ auth_method, *req_auth);
>+ debug2("monitor_child_preauth: required list now: %s",
>+ *req_auth == NULL ? "DONE" : *req_auth);
>+ if (*req_auth != NULL)
>+ authenticated = 0;
>+ no_increment = 1;
>+ }
> 
> if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
>- auth_log(authctxt, authenticated, auth_method,
>+ auth_log(authctxt, authenticated, auth_method, NULL,
> compat20 ? " ssh2" : "");
>- if (!authenticated)
>+ if (!authenticated && !no_increment)
> authctxt->failures++;
> }
> #ifdef JPAKE
>@@ -1066,7 +1082,8 @@ mm_answer_keyallowed(int sock, Buffer *m
> hostbased_chost = chost;
> } else {
> /* Log failed attempt */
>- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
>+ auth_log(authctxt, 0, auth_method, NULL,
>+ compat20 ? " ssh2" : "");
> xfree(blob);
> xfree(cuser);
> xfree(chost);
>Index: servconf.c
>===================================================================
>RCS file: /cvs/openssh/servconf.c,v
>retrieving revision 1.209
>diff -u -p -r1.209 servconf.c
>--- servconf.c 20 Nov 2010 04:19:38 -0000 1.209
>+++ servconf.c 22 Feb 2011 21:32:41 -0000
>@@ -42,6 +42,8 @@
> #include "key.h"
> #include "kex.h"
> #include "mac.h"
>+#include "hostfile.h"
>+#include "auth.h"
> #include "match.h"
> #include "channels.h"
> #include "groupaccess.h"
>@@ -130,6 +132,8 @@ initialize_server_options(ServerOptions
> options->authorized_keys_file2 = NULL;
> options->num_accept_env = 0;
> options->permit_tun = -1;
>+ options->required_auth1 = NULL;
>+ options->required_auth2 = NULL;
> options->num_permitted_opens = -1;
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
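Review bot: On a partial success `authenticated` is zeroed before the auth_log call below it, so the monitor records a required step that actually succeeded as `Failed <method> for <user>`, while the unprivileged child (do_authloop and userauth_finish in this same patch) logs the same event as Accepted before its own required-list handling; anyone correlating sshd logs will see one event reported both ways. Log before clearing `authenticated`, or pass an info string that distinguishes the case, e.g. `compat20 ? " ssh2 (partial)" : " (partial)"`. Separately, `auth_remove_from_list(req_auth, auth_method) != 1` is fatal, so if any `auth_method` string the mm_answer_* handlers set (outside this hunk) does not match the configured name exactly, a legitimate login dies with INTERNAL ERROR; worth confirming each handler's string against the names auth2_check_required accepts.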
>@@ -323,6 +327,7 @@ typedef enum {
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
> sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
>+ sRequiredAuthentications1, sRequiredAuthentications2,
> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sZeroKnowledgePasswordAuthentication, sHostCertificate,
>@@ -451,6 +456,8 @@ static struct {
> { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
> { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
> { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
>+ { "requiredauthentications1", sRequiredAuthentications1 },
>+ { "requiredauthentications2", sRequiredAuthentications2 },
> { "ipqos", sIPQoS, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
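Review bot: The two new keyword rows omit the third member that every neighbouring row carries (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so their flags are zero-initialised and the directive belongs to neither scope; presumably `SSHCFG_GLOBAL` was intended, as for `kexalgorithms` just above: `{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_GLOBAL },` and likewise for the second row. The option is registered here as requiredauthentications[12], but the sshd_config.5 hunks later in this patch document it as RequiredMethods[12] and refer to RequiredAuthentication[12] without the trailing s, so one spelling has to be chosen. Those manual-page hunks also delete the AuthorizedKeysFile, HostbasedUsesNameFromPacketOnly, PermitTunnel, RevokedKeys and TrustedUserCAKeys text, which looks like a diff taken against a stale base rather than an intended change.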
>@@ -1229,6 +1236,33 @@ process_server_config_line(ServerOptions
> filename, linenum);
> else
> options->max_startups = options->max_startups_begin;
>+ break;
>+
>+
>+ case sRequiredAuthentications1:
>+ charptr = &options->required_auth1;
>+ arg = strdelim(&cp);
>+ if (auth1_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
>+ break;
>+
>+ case sRequiredAuthentications2:
>+ charptr = &options->required_auth2;
>+ arg = strdelim(&cp);
>+ if (auth2_check_required(arg) != 0)
>+ fatal("%.200s line %d: Invalid required authentication "
>+ "list", filename, linenum);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (*charptr == NULL)
>+ *charptr = xstrdup(arg);
> break;
> 
> case sMaxAuthTries:
>Index: servconf.h
>===================================================================
>RCS file: /cvs/openssh/servconf.h,v
>retrieving revision 1.87
>diff -u -p -r1.87 servconf.h
>--- servconf.h 20 Nov 2010 04:19:38 -0000 1.87
>+++ servconf.h 22 Feb 2011 21:32:44 -0000
>@@ -148,6 +148,9 @@ typedef struct {
> char *authorized_keys_file; /* File containing public keys */
> char *authorized_keys_file2;
> 
>+ char *required_auth1; /* Required, but not sufficient */
>+ char *required_auth2;
>+
> char *adm_forced_command;
> 
> int use_pam; /* Enable auth via PAM */
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/openssh/sshd_config.5,v
>retrieving revision 1.138
>diff -u -p -r1.138 sshd_config.5
>--- sshd_config.5 26 Dec 2010 03:26:48 -0000 1.138
>+++ sshd_config.5 22 Feb 2011 21:32:49 -0000
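Review bot: In both new cases `auth1_check_required(arg)` / `auth2_check_required(arg)` runs before the `!arg || *arg == '\0'` test, so a directive with no argument hands NULL to the checker (which calls `xstrdup(list)` on it) instead of reaching the `Missing argument.` fatal; put the argument test first, i.e. move `if (!arg || *arg == '\0') fatal(...)` directly after `arg = strdelim(&cp);` in each case. Note also that the checkers set `*(m->enabled) = 1` as a side effect, so a repeated directive that `if (*charptr == NULL)` then ignores still enables every method it named. The two blank lines after the first added `break;` are one more than the surrounding cases use.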
>@@ -702,15 +702,12 @@ keyword.
> Available keywords are
> .Cm AllowAgentForwarding ,
> .Cm AllowTcpForwarding ,
>-.Cm AuthorizedKeysFile ,
>-.Cm AuthorizedPrincipalsFile ,
> .Cm Banner ,
> .Cm ChrootDirectory ,
> .Cm ForceCommand ,
> .Cm GatewayPorts ,
> .Cm GSSAPIAuthentication ,
> .Cm HostbasedAuthentication ,
>-.Cm HostbasedUsesNameFromPacketOnly ,
> .Cm KbdInteractiveAuthentication ,
> .Cm KerberosAuthentication ,
> .Cm MaxAuthTries ,
>@@ -719,7 +716,8 @@ Available keywords are
> .Cm PermitEmptyPasswords ,
> .Cm PermitOpen ,
> .Cm PermitRootLogin ,
>-.Cm PermitTunnel ,
>+.Cm RequiredMethods1,
>+.Cm RequiredMethods2,
> .Cm PubkeyAuthentication ,
> .Cm RhostsRSAAuthentication ,
> .Cm RSAAuthentication ,
>@@ -727,6 +725,21 @@ Available keywords are
> .Cm X11Forwarding
> and
> .Cm X11UseLocalHost .
>+.It Cm RequiredMethods[12]
>+ Requires two authentication methods to succeed before authorizing the connection.
>+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
>+
>+ RequiredAuthentications1 method[,method...]
>+ RequiredAuthentications2 method[,method...]
>+
>+.Pp
>+Example 1:
>+
>+ RequiredAuthentications2 password,hostbased
>+
>+Example 2:
>+ RequiredAuthentications2 publickey,password
>+
> .It Cm MaxAuthTries
> Specifies the maximum number of authentication attempts permitted per
> connection.
>@@ -911,12 +924,21 @@ is identical to
> Specifies whether public key authentication is allowed.
> The default is
> .Dq yes .
>-Note that this option applies to protocol version 2 only.
>-.It Cm RevokedKeys
>-Specifies a list of revoked public keys.
>-Keys listed in this file will be refused for public key authentication.
>-Note that if this file is not readable, then public key authentication will
>-be refused for all users.
>+.It Cm RequiredMethods[12]
>+ Requires two authentication methods to succeed before authorizing the connection.
>+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
>+
>+ RequiredAuthentications1 method[,method...]
>+ RequiredAuthentications2 method[,method...]
>+
>+.Pp
>+Example 1:
>+
>+ RequiredAuthentications2 password,hostbased
>+
>+Example 2:
>+ RequiredAuthentications2 publickey,password
>+
> .It Cm RhostsRSAAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful RSA host authentication is allowed.
>@@ -992,22 +1014,6 @@ This avoids infinitely hanging sessions.
> .Pp
> To disable TCP keepalive messages, the value should be set to
> .Dq no .
>-.It Cm TrustedUserCAKeys
>-Specifies a file containing public keys of certificate authorities that are
>-trusted to sign user certificates for authentication.
>-Keys are listed one per line; empty lines and comments starting with
>-.Ql #
>-are allowed.
>-If a certificate is presented for authentication and has its signing CA key
>-listed in this file, then it may be used for authentication for any user
>-listed in the certificate's principals list.
>-Note that certificates that lack a list of principals will not be permitted
>-for authentication using
>-.Cm TrustedUserCAKeys .
>-For more details on certificates, see the
>-.Sx CERTIFICATES
>-section in
>-.Xr ssh-keygen 1 .
> .It Cm UseDNS
> Specifies whether
> .Xr sshd 8